Authentication
The Directory API uses API Key authentication for machine-to-machine access. Every request must include a valid API key in the X-API-Key HTTP header.
Request Header
```http
GET /v1/businesses HTTP/1.1
Host: rjpxllsycikfabazvkdh.supabase.co/functions/v1/directory-api
X-API-Key: bym_live_a1b2c3d4e5f6...
Content-Type: application/json
```
API Key Format
API keys are 48-character random strings prefixed with bym_. The key prefix (first 8 characters) is stored for identification, while the full key is hashed with SHA-256 before storage.
| Property | Value |
|---|---|
| Header name | X-API-Key |
| Key length | 48 characters |
| Key format | bym_ + 44 random alphanumeric characters |
| Hash algorithm | SHA-256 |
| Storage | Only the hash is stored; the raw key is shown once at creation |
Permission Scopes
Each API key has a set of permission scopes that determine which endpoints it can access. Request only the scopes you need.
| Scope | Description | Endpoints |
|---|---|---|
| businesses.read | Read business data | GET /v1/businesses/* |
| businesses.write | Create/update businesses | POST/PUT /v1/businesses/* |
| products.read | Read product data | GET /v1/products/* |
| products.write | Create/update products | POST/PUT /v1/products/* |
| categories.read | Read categories | GET /v1/categories/*, GET /v1/product-categories |
| regions.read | Read regions and countries | GET /v1/regions/*, GET /v1/countries |
| rfq.write | Create and manage RFQs | POST/PUT /v1/rfq/* |
| rfq.read | Read RFQs and quotes | GET /v1/rfq/* |
| quotes.write | Submit supplier quotes | POST /v1/rfq/:id/quotes |
| search | Keyword, semantic & hybrid search | GET /v1/search, /v1/semantic-search, /v1/hybrid-search |
| agent.query | AI Agent Gateway access | POST agent-gateway |
| webhooks.manage | Manage webhook subscriptions | /v1/webhooks/* |
Rate Limiting
Each API key has a configurable rate limit (default: 60 requests per minute). When the limit is exceeded, the API returns a 429 Too Many Requests response.
Rate Limit Error Response
```json
{
  "error": "Rate limit exceeded. Try again in 45 seconds.",
  "data": null
}
```
Authentication Errors
| Status | Error | Cause |
|---|---|---|
| 401 | Missing API key | No X-API-Key header provided |
| 401 | Invalid API key | Key not found or has been deactivated |
| 401 | API key expired | Key has passed its expires_at date |
| 403 | Insufficient permissions | Key does not have the required scope for this endpoint |
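The key format, hash-only storage, scope check, and error table above can be tied together in one server-side sketch. This is an added example, not the Directory API's own implementation. The function names, the in-memory `store` layout, and the record fields other than `expires_at` are assumptions.

```python
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits  # "alphanumeric" per the key format table


def generate_key(scopes, expires_at=None):
    """Return (raw_key, record). Show raw_key once; persist only the record."""
    raw = "bym_" + "".join(secrets.choice(ALPHABET) for _ in range(44))
    record = {
        "prefix": raw[:8],  # first 8 characters, kept for identification
        "hash": hashlib.sha256(raw.encode()).hexdigest(),
        "scopes": set(scopes),
        "active": True,
        "expires_at": expires_at,  # timezone-aware datetime or None
    }
    return raw, record


def authenticate(store, headers, required_scope, now=None):
    """Return (status, error) using the statuses in the Authentication Errors table.

    store: hypothetical dict mapping prefix -> list of records (prefixes can collide).
    """
    now = now or datetime.now(timezone.utc)
    raw = headers.get("X-API-Key")
    if not raw:
        return 401, "Missing API key"
    if len(raw) != 48 or not raw.startswith("bym_") or not raw.isascii():
        return 401, "Invalid API key"
    digest = hashlib.sha256(raw.encode()).hexdigest()
    # Compare hashes in constant time; never compare or log the raw key.
    record = next((r for r in store.get(raw[:8], [])
                   if hmac.compare_digest(digest, r["hash"])), None)
    if record is None or not record["active"]:
        return 401, "Invalid API key"
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return 401, "API key expired"
    if required_scope not in record["scopes"]:
        return 403, "Insufficient permissions"
    return 200, None
```

Because the stored record holds only the prefix and the SHA-256 digest, a leaked key table does not directly reveal usable keys, and the prefix is enough to identify which key a log entry or revocation request refers to.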
Last updated on February 23, 2026